Launchpad.net

CVE 2013-4242

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

Related bugs and status

CVE-2013-4242 (Candidate) is related to these bugs:

Bug #1084279: buffer overflow crash in libgcrypt when open files > 1024

Summary				In	Importance	Status
	1084279	buffer overflow crash in libgcrypt when open files > 1024		libgcrypt11 (Ubuntu)	High	Fix Released

Bug #1105758: On my PC, gcry_cipher_encrypt() doesn't release all x87 FPU data registers .

Summary				In	Importance	Status
	1105758	On my PC, gcry_cipher_encrypt() doesn't release all x87 FPU data registers .		libgcrypt11 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [gnupg-announce] 20130...
MISC: http://bugs.debian.org...
MISC: http://eprint.iacr.org...
DEBIAN: DSA-2730
DEBIAN: DSA-2731
SUSE: openSUSE-SU-2013:1294
UBUNTU: USN-1923-1
BID: 61464
SECUNIA: 54318
SECUNIA: 54321
SECUNIA: 54332
SECUNIA: 54375
CERT-VN: VU#976534
REDHAT: RHSA-2013:1457
CONFIRM: http://www.oracle.com/...
CONFIRM: http://kb.juniper.net/...